package cn.dxj1016.lesson03;

import cn.dxj1016.lesson02.utils.JdbcUtils;

import java.sql.*;

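/**
 * Lesson 03: demonstrates that a parameterized {@link PreparedStatement} is not
 * vulnerable to SQL injection.
 *
 * <p>The classic payload {@code '' or 1=1} is passed as the username. Because the
 * value is bound with {@code setString}, it is treated as data rather than as part of
 * the SQL text, so the query looks for a user whose name is literally
 * {@code '' or 1=1} instead of matching every row.
 */
public class SQL注入 {
    public static void main(String[] args) {
        // Legitimate lookup (uncomment to compare with the injection attempt below):
        // login("zhangsan", "123456");

        // Injection attempt: with string-concatenated SQL this would match every row;
        // with a bound parameter it is compared as a plain string.
        login("'' or 1=1", "123456");
    }

    /**
     * Login lookup: selects the rows whose {@code NAME} and {@code PASSWORD} columns
     * equal the given values and prints the matching names.
     *
     * <p>Security notes:
     * <ul>
     *   <li>The SQL text contains only {@code ?} placeholders; both inputs are bound with
     *       {@link PreparedStatement#setString}, so nothing the caller passes can change
     *       the structure of the statement (quotes and keywords stay inside the value).</li>
     *   <li>The stored {@code PASSWORD} value is deliberately not printed — echoing a
     *       credential to stdout is a leak in itself. The query compares the raw password
     *       string directly, which suggests the lesson schema stores passwords in clear
     *       text; real code should store a salted hash (bcrypt/scrypt/argon2) and compare
     *       against that.</li>
     * </ul>
     *
     * @param username value matched against the {@code NAME} column (treated as untrusted)
     * @param password value matched against the {@code PASSWORD} column (treated as untrusted)
     */
    public static void login(String username, String password) {
        Connection connection = null;
        PreparedStatement preparedStatement = null;
        ResultSet resultSet = null;
        try {
            connection = JdbcUtils.getConnenction();
            // Placeholders, never concatenation: the parameter values are sent separately
            // from the SQL text, so they are never parsed as SQL.
            String sql = "SELECT * FROM users WHERE `NAME`=? AND `PASSWORD`=?";
            preparedStatement = connection.prepareStatement(sql);
            preparedStatement.setString(1, username);
            preparedStatement.setString(2, password);
            resultSet = preparedStatement.executeQuery();
            while (resultSet.next()) {
                System.out.println(resultSet.getString("NAME"));
                // The PASSWORD column is intentionally not printed (credential leak).
                System.out.println("=============================================");
            }
        } catch (SQLException e) {
            // Demo only: a full stack trace can expose schema and driver details;
            // production code should log a sanitized message and fail the login.
            e.printStackTrace();
        } finally {
            // Release everything acquired above, even when the query failed part-way.
            JdbcUtils.release(connection, preparedStatement, resultSet);
        }
    }
}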
/*
Execution result:
  Expected: no rows are printed. The bound username "'' or 1=1" is compared as a
  literal string, so the injection attempt matches nothing unless a user with that
  exact name (and the password "123456") actually exists.
 */
